These days, Nick Bradley is policing the world of cyberthreats in his role as practice lead of the IBM X-Force Incident Response and Intelligence Services (IRIS) Threat Analysis Group — but that wasn’t always the plan.

Nick comes from a multigenerational military family — his daughters are currently about to enter the service. Growing up in “middle of nowhere Florida,” there weren’t many options for Nick; he could either follow his family into the military or go to work at the local federal prison as a correctional officer. He pursued the best of both worlds by entering active duty with the Army military police, working his way to sergeant and switching to Reserves so he could study and become an officer, all the while maintaining a private hobby building computers and gaming.

One day, Nick came into work at the dispatch desk to find the computer switched off; it had a virus, the desk sergeant said, and they needed to wait for IT to come and fix it tomorrow.

“So I cleaned it up because I knew how to,” remembers Nick. “And it was something simple, too — it wasn’t some bleeding edge virus, it was one that had been out there forever. Back then, people had viruses on machines all the time. So I cleaned that up and went to work, didn’t think anything more of it.

“Then the next morning when all of the brass came in, I got called into the sergeant major’s office, and he wanted to know how I knew how to fix that computer.”

Changing Careers Under Orders

Nick’s personal tech interests ended up causing a major turn in his career. The brass told him he had a new job as a system administrator in the provost marshal’s office, and the rest is history.

“The thing was, in my mind, I still wanted to be military police, and so I was just doing this because that’s what they ordered me to do,” he says. “I even got accepted into the SWAT, or what the Army calls the SRT, and I did that on weekends so I could still be a cop.”

Nick later went to the Army Reserve and joined the Army R.O.T.C. program with the goal of becoming a commissioned officer. During that time, he also picked up some contract IT work to help pay the bills. Ultimately, it was this part-time job that led to a full-time career with Internet Security Systems — later acquired by IBM — and Nick decided not to commission back into active duty.

“It was an extremely hard decision because I love the military, but I realized I was going to be able to make a difference in this field that I never even knew existed, and that I was going to be able to provide a better life for my wife and kids.”

These days, Nick is still patrolling and protecting — he’s just a bit more desk-bound than he was while on active duty. Running the threat analysis group inside X-Force IRIS means Nick is in charge of the team that scours the net for signs of threats, turning it all into actionable intelligence not just for IBM clients, but for the world at large.

Quick to point out their role within a larger team — and that a lot of other groups contribute to the threat analysis — Nick explains how he and his X-Force IRIS colleagues identify issues. Using proprietary tools, the team scrapes the internet for text featuring keywords and information they find important: security patches being released, vulnerabilities exposed, breach disclosures and other info. They also have other groups within IBM they use as trusted sources, such as the incident response side of X-Force IRIS and IBM Trusteer, as well as external companies including Cisco Talos, Palo Alto Networks, Trend Micro and others.

Actionable Security Intelligence Beats the Bad Guys

“Our primary goal is to parse through all that noise and sort out what is hot versus what is just hype,” Nick says, explaining that the important information is made available through the team’s daily newsletter and through X-Force Exchange Collections.

“We don’t just want to be the person running around screaming ‘the sky is falling’ — we want to be the one telling you here’s where you go so you don’t get hurt. So we are always trying to share not just the intel, but also some form of action that can be taken, or actionable intelligence. That ranges from mitigation recommendations to actual indicators of compromise, what’s called IoC, and those can usually be directly loaded into protection platforms or into SIEMs.”

After nearly two decades watching threats and developing mitigations, Nick says the biggest thing that’s changed in cybersecurity is that the world now (finally!) takes it seriously. It used to be difficult to get a company to spend money on security; once they started seeing competitors suffer financial and reputational damage, though, that all changed.

But if the good news is that everyone has become more security-savvy, flip side is that the “bad guys are getting more sophisticated as well,” Nick says. Plus, there’s now there’s a “trickle-down” effect where high-level threat actors and advanced persistent threat (APT) groups release their tools onto the web, and lesser groups then access them to wreak their own havoc.

“One thing I think has significantly changed is the idea of hacking for infamy and glory,” says Nick. “For the longest time it was about compromising somebody and defacing their website — ‘you’ve been hacked, haha.’ It still happens, but that’s not the focus anymore. The focus now is espionage; it’s about money, sabotage, political agendas.”

All that must be hard for a guy from a law enforcement background. Nick says it was difficult at first to get used to mitigating, defending and protecting instead of directly going after the bad guys.

“That is a stark difference,” he says, “but I still think you make a better impact with protecting and defending than you would trying to go after individuals. We leave that to the FBI.”

Meet IBM X-Force incident command leader Mike Barcomb

More from Incident Response

How Paris Olympic authorities battled cyberattacks, and won gold

3 min read - The Olympic Games Paris 2024 was by most accounts a highly successful Olympics. Some 10,000 athletes from 204 nations competed in 329 events over 16 days. But before and during the event, authorities battled Olympic-size cybersecurity threats coming from multiple directions.In preparation for expected attacks, authorities took several proactive measures to ensure the security of the event.Cyber vigilance programThe Paris 2024 Olympics implemented advanced threat intelligence, real-time threat monitoring and incident response expertise. This program aimed to prepare Olympic-facing organizations…

How CIRCIA is changing crisis communication

3 min read - Read the previous article in this series, PR vs cybersecurity teams: Handling disagreements in a crisis. When the Colonial Pipeline attack happened a few years ago, widespread panic and long lines at the gas pump were the result — partly due to a lack of reliable information. The attack raised the alarm about serious threats to critical infrastructure and what could happen in the aftermath. In response to this and other high-profile cyberattacks, Congress passed the Cyber Incident Reporting for Critical…

PR vs cybersecurity teams: Handling disagreements in a crisis

4 min read - Check out our first two articles in this series, Cybersecurity crisis communication: What to do and Crisis communication: What NOT to do. When a cyber incident happens inside an organization, everyone in the company has a stake in how to approach remediation. The problem is that not everyone agrees on how to handle the public response to cyber crisis communication. Typically, in any organization, the public relations team handles the relationship between the company and the media, who then decide…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today